Two young hackers have been sentenced to five and a half years in prison for carrying out the 2024 cyberattack on Transport for London (TfL), an incident that disrupted critical transport services across the UK capital and caused an estimated £29 million in damages.

Owen Flowers, 18, and Thalha Jubair, 20, were sentenced at Woolwich Crown Court on 16 July 2026 after pleading guilty to the UK’s most serious cybercrime offence under Section 3ZA of the Computer Misuse Act 1990. Prosecutors said the pair admitted they were reckless about whether their actions could create a significant risk of serious harm to the public. Authorities believe this is the first successful conviction under the law’s toughest cybercrime provision.

The attack took place between 31 August and 3 September 2024 and forced TfL to shut down 148 computer systems. Every one of the organization’s 27,000 employees had to return to the office to reset passwords in person. The disruption affected several key services, including Dial-a-Ride for vulnerable passengers, digital payment systems, concessionary travel card processing, Oyster photocard applications, contactless ticketing expansion, and customer refund services.

TfL also confirmed that attackers accessed customer information, including names, email addresses, and in some cases home addresses. Refund records containing bank account details and sort codes belonging to around 5,000 customers may also have been exposed during the breach.

Investigators said the hackers communicated through Telegram while sharing access to TfL’s systems using a remote online workspace. Digital evidence recovered from Flowers’ devices included screenshots showing connections to TfL infrastructure and videos allegedly recording Jubair navigating the transport authority’s internal network during the attack.

READ
Iran Allegedly Exploited Mobile Network Flaws to Track U.S. Military Personnel

The National Crime Agency (NCA) arrested Flowers on 6 September 2024, only days after the TfL breach ended. At the time of his arrest, investigators said he was actively targeting two major US healthcare organizations, SSM Health Care Corporation and Sutter Health. Authorities seized multiple computers, storage devices, and USB drives that linked him to all three attacks.

Flowers also admitted involvement in separate cyberattacks targeting the two US healthcare providers. Prosecutors said he threatened to lock down hospital systems and acknowledged in online conversations that such an attack “might kill some 90-year-old on life support.” Officials said his arrest prevented those attacks from progressing further.

The NCA described both men as leading members of the cybercriminal group widely known as Scattered Spider, also tracked by security researchers as Octo Tempest, UNC3944, and 0ktapus. Prosecutors were more cautious, stating that the defendants had claimed membership in a hacking group believed to have carried out hundreds of cyberattacks between 2022 and 2025. The FBI has previously linked the group to data extortion, SIM-swapping, and sophisticated social engineering campaigns.

Authorities said the potential consequences could have been far worse. According to the NCA, a complete shutdown of TfL’s network could have caused economic losses of up to £56 billion. That scenario was avoided after TfL disconnected its own systems to contain the intrusion before the attackers could inflict additional damage.


Buy ExpressVPN with PayPal or Credit Card

Jubair also continues to face separate criminal charges in the United States. A complaint filed in New Jersey alleges his involvement in approximately 120 network intrusions affecting at least 47 US victims between 2022 and 2025, generating more than $115 million in ransomware payments. US prosecutors have also accused him of participating in attacks against critical infrastructure and the US federal court system, along with laundering millions of dollars in cryptocurrency. Those allegations remain untested in court, and no extradition decision has been announced.

READ
Microsoft Fixes Critical Age of Empires II Bug That Could Let Hackers Take Over PCs
Advertisement